Full Version: virus ridden laptop
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Nyxis
Hi! I am back again with another problem. My sister's laptop (an Asus EeePC) is infected with Win32/PSW.OnlineGames.NWH, which she got from an officemate's USB drive. Her company installed NOD32 as her AV scanner and it keeps cleaning the autorun.inf and another file, but the laptop keeps getting re-infected.
I installed Spybot and ran it, then updated her NOD32 and scanned her PC.

Here is her HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:29 PM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Asus\EeePC ACPI\AsTray.exe
C:\Program Files\Asus\EeePC ACPI\AsAcpiSvr.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\amanda\My Documents\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\Asus\EeePC ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\Asus\EeePC ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB7EE7F8-58CC-47B8-90F7-85E288741C61}: NameServer = 129.37.2.107,129.37.2.112
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 4420 bytes

EDIT: after restarting the laptop it now stops with the message that Windows has stopped the loading of Windows Explorer to protect the system. :(
LoPhatPhuud
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Nyxis
Hi LoPhatPhuud! Glad to have your help again.

Btw, after I shut down her laptop and started it up again after several minutes, the previous problem disappeared; Windows now loads fine.

Here's the Combofix log:


ComboFix 08-06-09.7 - amanda 2008-06-11 9:29:16.2 - NTFSx86
Running from: C:\Documents and Settings\amanda\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-10 18:07 . 2008-06-10 18:07 <DIR> d----c--- C:\Program Files\Spybot - Search & Destroy
2008-06-10 18:07 . 2008-06-10 19:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-31 22:52 . 2008-05-31 22:52 17,868 --ah-c--- C:\WINDOWS\system32\mlfcache.dat
2008-05-31 22:43 . 2008-05-31 22:43 <DIR> d----c--- C:\Program Files\mIRC
2008-05-31 22:43 . 2008-05-31 23:46 <DIR> d----c--- C:\Documents and Settings\amanda\Application Data\mIRC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 18:21 --------- dc----w C:\Program Files\ESET
2008-04-24 08:13 --------- dc----w C:\Program Files\VLCPortable
2008-04-24 07:35 --------- dc----w C:\Program Files\RocketDock
2008-04-24 07:33 --------- dc----w C:\Program Files\Rainlendar2
2008-04-24 04:56 --------- dc----w C:\Program Files\Yahoo!
2008-04-24 04:56 --------- dc----w C:\Documents and Settings\amanda\Application Data\Yahoo!
2008-04-23 23:35 100,475 -c--a-w C:\WINDOWS\UninstallFirefox.exe
2008-04-22 16:02 --------- dc----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-22 12:27 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-04-22 12:27 298,104 -c--a-w C:\WINDOWS\system32\imon.dll
2008-04-22 12:27 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-22 11:43 --------- dc----w C:\Program Files\Microsoft ActiveSync
2008-04-22 11:30 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-04-22 11:28 --------- dc----w C:\Program Files\Asus
2008-04-22 11:02 --------- dc----w C:\Program Files\Atheros
2008-04-22 10:58 --------- dc----w C:\Program Files\Realtek
2008-04-22 10:57 315,392 -c--a-w C:\WINDOWS\HideWin.exe
2008-04-22 10:57 --------- dc----w C:\Program Files\Common Files\InstallShield
2008-04-22 10:55 --------- dc----w C:\Program Files\Synaptics
2008-04-22 10:53 --------- dc----w C:\Documents and Settings\All Users\Application Data\Atheros
2008-04-22 10:53 --------- dc----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-04-22 10:50 --------- dc----w C:\Program Files\Intel
2008-04-22 09:55 --------- dc----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 -c--a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 -c--a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-10_21.03.28.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-10 08:07:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-11 01:24:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-10 12:25:57 40,394 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-11 01:29:37 40,394 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-10 12:25:57 312,172 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-11 01:29:37 312,172 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 18:23 1365504]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACU"="C:\Program Files\Atheros\ACU.exe" [2007-05-03 17:42 376921]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-08-18 22:40 102400]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-04 16:52 16841216 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-08-04 14:22 1826816 C:\WINDOWS\SkyTel.exe]
"AsusTray"="C:\Program Files\Asus\EeePC ACPI\AsTray.exe" [2007-09-28 15:45 77824]
"AsusACPIServer"="C:\Program Files\Asus\EeePC ACPI\AsAcpiSvr.exe" [2007-10-02 13:21 450560]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-22 20:27 949376]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-22 14:43 104984]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-22 14:43 121368]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-22 14:43 100888]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R3 AsusACPI;ASUS ACPI Driver;C:\WINDOWS\system32\DRIVERS\ASUSACPI.sys [2007-07-26 20:00]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-08-22 16:50]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-03-28 19:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be77530b-11d0-11dd-b4b8-001fc62eb7b9}]
\Shell\AutoRun\command - D:\tfk8.exe
\Shell\explore\Command - D:\tfk8.exe
\Shell\open\Command - D:\tfk8.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 09:33:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [2648] 0x8629DAD0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
Completion time: 2008-06-11 9:34:36
ComboFix-quarantined-files.txt 2008-06-11 01:34:31
ComboFix2.txt 2008-06-10 13:03:51

Pre-Run: 549,023,744 bytes free
Post-Run: 536,547,328 bytes free

105 --- E O F --- 2008-06-10 09:38:52


LoPhatPhuud
There was an infection shown in the HJT log, but not in the ComboFix log. Most likely NOD32 removed it and the registry entry. The references to the original file that installed the garbage are still there, and we'll use ComboFix to remove them.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\amvo.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be77530b-11d0-11dd-b4b8-001fc62eb7b9}]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Also, please run HiJackThis again and post a new log in this thread. Note that a HJT log was requested as part of my last post. Please take the time to be certain you are doing all that was requested.
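The fix above works by reading the `mountpoints2` block out of the ComboFix "Reg Loading Points" section and writing a CFScript that deletes that key (`[-key]` under `Registry::`) and the leftover dropper under `File::`. As an added example, not part of this thread and not ComboFix's own tooling, the Python script below automates that reading: it parses a log excerpt (constructed here from the log posted above), lists every MountPoints2 key whose `\Shell\<verb>\command` has been pointed at an executable (the autorun.inf hijack that re-infects from the USB stick), and renders a CFScript.txt in the same File::/Registry:: layout. The key pattern, the verb names and the CFScript syntax are taken from the log and the post above; everything else (function names, the sample text) is assumed.

```python
import re

# Constructed excerpt modelled on the "Reg Loading Points" section of the
# ComboFix log above. Only the mountpoints2 block matters to the parser; the
# Run key and the R3 driver lines are there to show they are skipped.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be77530b-11d0-11dd-b4b8-001fc62eb7b9}]
\Shell\AutoRun\command - D:\tfk8.exe
\Shell\explore\Command - D:\tfk8.exe
\Shell\open\Command - D:\tfk8.exe

R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-03-28 19:52]
"""

# A MountPoints2 key is the per-volume key under Explorer keyed by a GUID.
KEY_RE = re.compile(
    r"^\[(hkey_current_user\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\\{[0-9a-f-]{36}\})\]$",
    re.IGNORECASE,
)
# ComboFix prints each hijacked verb as "\Shell\<verb>\command - <target>".
VERB_RE = re.compile(r"^\\shell\\(\w+)\\command\s+-\s+(.+?)\s*$", re.IGNORECASE)


def parse_mountpoints(log_text):
    """Return {key: {verb: target}} for every MountPoints2 block in the excerpt."""
    entries = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            # A new registry key starts; only MountPoints2 keys are tracked.
            match = KEY_RE.match(line)
            current = match.group(1) if match else None
            if current is not None:
                entries.setdefault(current, {})
            continue
        if current is None:
            continue
        match = VERB_RE.match(line)
        if match:
            entries[current][match.group(1).lower()] = match.group(2)
    return entries


def hijacked_mountpoints(entries):
    """Keys whose AutoRun/open/explore verbs launch a program, with the verbs affected.

    Any such entry means double-clicking or auto-playing that volume runs the
    target, which is how the USB infection keeps coming back; the list is for an
    analyst to review, not for blind deletion.
    """
    flagged = {}
    for key, verbs in entries.items():
        hit = sorted(v for v in verbs if v in ("autorun", "open", "explore"))
        if hit:
            flagged[key] = hit
    return flagged


def build_cfscript(files=(), delete_keys=()):
    """Render CFScript.txt text: File:: paths to remove, Registry:: keys as [-key]."""
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
        lines.append("")
    if delete_keys:
        lines.append("Registry::")
        lines.extend(f"[-{key}]" for key in delete_keys)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = hijacked_mountpoints(parse_mountpoints(SAMPLE_LOG))
    for key, verbs in found.items():
        print(f"hijacked verbs {verbs} under {key}")
    # The dropper path comes from the O4 HKCU Run line in the first HJT log above.
    print(build_cfscript(files=[r"C:\WINDOWS\system32\amvo.exe"], delete_keys=found))
```

Run it against a saved ComboFix.txt by reading the file into `parse_mountpoints` instead of `SAMPLE_LOG`; the printed script is the same text the post asks to be saved as CFScript.txt next to ComboFix.exe.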
Nyxis
Hi, I was doing the ComboFix test this morning (it was already running) as you requested, but then the laptop shut down. I wasn't sure whether it was able to complete the process or not.

I ran ComboFix (a new download) since I wasn't sure if I could run the altered ComboFix I made again. Really sorry about this, LoPhatPhuud.

Here's the log:

ComboFix 08-06-10.5 - amanda 2008-06-12 22:56:33.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.669 [GMT 8:00]
Running from: C:\Documents and Settings\amanda\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.

2008-06-12 22:42 . 2008-06-12 22:42 <DIR> d----c--- C:\WINDOWS\LastGood
2008-06-12 09:42 . 2008-04-14 19:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 09:42 . 2008-04-14 19:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 18:07 . 2008-06-10 18:07 <DIR> d----c--- C:\Program Files\Spybot - Search & Destroy
2008-06-10 18:07 . 2008-06-10 19:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-31 22:52 . 2008-05-31 22:52 17,868 --ah-c--- C:\WINDOWS\system32\mlfcache.dat
2008-05-31 22:43 . 2008-05-31 22:43 <DIR> d----c--- C:\Program Files\mIRC
2008-05-31 22:43 . 2008-05-31 23:46 <DIR> d----c--- C:\Documents and Settings\amanda\Application Data\mIRC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 18:21 --------- dc----w C:\Program Files\ESET
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-24 08:13 --------- dc----w C:\Program Files\VLCPortable
2008-04-24 07:35 --------- dc----w C:\Program Files\RocketDock
2008-04-24 07:33 --------- dc----w C:\Program Files\Rainlendar2
2008-04-24 04:56 --------- dc----w C:\Program Files\Yahoo!
2008-04-24 04:56 --------- dc----w C:\Documents and Settings\amanda\Application Data\Yahoo!
2008-04-23 23:35 100,475 -c--a-w C:\WINDOWS\UninstallFirefox.exe
2008-04-22 16:02 --------- dc----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-22 12:27 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-04-22 12:27 298,104 -c--a-w C:\WINDOWS\system32\imon.dll
2008-04-22 12:27 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-22 11:43 --------- dc----w C:\Program Files\Microsoft ActiveSync
2008-04-22 11:30 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-04-22 11:28 --------- dc----w C:\Program Files\Asus
2008-04-22 11:02 --------- dc----w C:\Program Files\Atheros
2008-04-22 10:58 --------- dc----w C:\Program Files\Realtek
2008-04-22 10:57 315,392 -c--a-w C:\WINDOWS\HideWin.exe
2008-04-22 10:57 --------- dc----w C:\Program Files\Common Files\InstallShield
2008-04-22 10:55 --------- dc----w C:\Program Files\Synaptics
2008-04-22 10:53 --------- dc----w C:\Documents and Settings\All Users\Application Data\Atheros
2008-04-22 10:53 --------- dc----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-04-22 10:50 --------- dc----w C:\Program Files\Intel
2008-04-22 09:55 --------- dc----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 -c--a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 -c--a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-10_21.03.28.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-10 08:07:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-12 14:39:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 11:01:02 272,128 -c----w C:\WINDOWS\Driver Cache\i386\bthport.sys
- 2006-07-13 08:48:58 202,240 -c----w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 -c----w C:\WINDOWS\system32\dllcache\rmcast.sys
- 2008-05-09 06:35:06 16,863,864 -c--a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-29 23:35:11 17,486,968 -c--a-w C:\WINDOWS\system32\MRT.exe
- 2008-06-10 12:25:57 40,394 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-12 14:44:29 40,394 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-10 12:25:57 312,172 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-12 14:44:29 312,172 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-03-06 01:22:36 14,048 -c----w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 -c----w C:\WINDOWS\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 18:23 1365504]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACU"="C:\Program Files\Atheros\ACU.exe" [2007-05-03 17:42 376921]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-08-18 22:40 102400]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-04 16:52 16841216 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-08-04 14:22 1826816 C:\WINDOWS\SkyTel.exe]
"AsusTray"="C:\Program Files\Asus\EeePC ACPI\AsTray.exe" [2007-09-28 15:45 77824]
"AsusACPIServer"="C:\Program Files\Asus\EeePC ACPI\AsAcpiSvr.exe" [2007-10-02 13:21 450560]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-22 20:27 949376]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-22 14:43 104984]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-22 14:43 121368]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-22 14:43 100888]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R3 AsusACPI;ASUS ACPI Driver;C:\WINDOWS\system32\DRIVERS\ASUSACPI.sys [2007-07-26 20:00]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-08-22 16:50]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-03-28 19:52]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 23:00:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [3444] 0x85D8A330

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
Completion time: 2008-06-12 23:01:51
ComboFix-quarantined-files.txt 2008-06-12 15:01:46
ComboFix2.txt 2008-06-12 01:52:19
ComboFix3.txt 2008-06-11 01:34:37
ComboFix4.txt 2008-06-10 13:03:51

Pre-Run: 508,424,192 bytes free
Post-Run: 488,902,656 bytes free

116 --- E O F --- 2008-06-12 14:49:55

And here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:20 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Asus\EeePC ACPI\AsTray.exe
C:\Program Files\Asus\EeePC ACPI\AsAcpiSvr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\amanda\My Documents\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\Asus\EeePC ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\Asus\EeePC ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C097A05-48E6-4770-9CFA-3FB33931D6DF}: NameServer = 58.69.254.3 58.69.254.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB7EE7F8-58CC-47B8-90F7-85E288741C61}: NameServer = 129.37.2.107,129.37.2.112
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 4184 bytes
Nyxis
Hi, I decided to redo LoPhatPhuud's last instructions. The laptop experienced a fatal error in the middle of the ComboFix scan again and restarted. I did a disk error check and started Windows again, and now it's working fine.
I ran ComboFix as instructed and ran HJT. By the way, I did a virus scan with NOD32 and it still detected 5 infected files. Here are my logs:
Thank you.

COMBOFIX

ComboFix 08-06-12.2 - amanda 2008-06-15 1:13:17.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.650 [GMT 8:00]
Running from: C:\Documents and Settings\amanda\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\amanda\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-12 09:42 . 2008-04-14 19:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 09:42 . 2008-04-14 19:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 18:07 . 2008-06-10 18:07 <DIR> d----c--- C:\Program Files\Spybot - Search & Destroy
2008-06-10 18:07 . 2008-06-10 19:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-31 22:52 . 2008-05-31 22:52 17,868 --ah-c--- C:\WINDOWS\system32\mlfcache.dat
2008-05-31 22:43 . 2008-05-31 22:43 <DIR> d----c--- C:\Program Files\mIRC
2008-05-31 22:43 . 2008-05-31 23:46 <DIR> d----c--- C:\Documents and Settings\amanda\Application Data\mIRC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 18:21 --------- dc----w C:\Program Files\ESET
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
2008-04-24 08:13 --------- dc----w C:\Program Files\VLCPortable
2008-04-24 07:35 --------- dc----w C:\Program Files\RocketDock
2008-04-24 07:33 --------- dc----w C:\Program Files\Rainlendar2
2008-04-24 04:56 --------- dc----w C:\Program Files\Yahoo!
2008-04-24 04:56 --------- dc----w C:\Documents and Settings\amanda\Application Data\Yahoo!
2008-04-23 23:35 100,475 -c--a-w C:\WINDOWS\UninstallFirefox.exe
2008-04-23 04:16 826,368 -c--a-w C:\WINDOWS\system32\wininet.dll
2008-04-22 16:02 --------- dc----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-22 12:27 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-04-22 12:27 298,104 -c--a-w C:\WINDOWS\system32\imon.dll
2008-04-22 12:27 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-22 11:43 --------- dc----w C:\Program Files\Microsoft ActiveSync
2008-04-22 11:30 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-04-22 11:28 --------- dc----w C:\Program Files\Asus
2008-04-22 11:02 --------- dc----w C:\Program Files\Atheros
2008-04-22 10:58 --------- dc----w C:\Program Files\Realtek
2008-04-22 10:57 315,392 -c--a-w C:\WINDOWS\HideWin.exe
2008-04-22 10:57 --------- dc----w C:\Program Files\Common Files\InstallShield
2008-04-22 10:55 --------- dc----w C:\Program Files\Synaptics
2008-04-22 10:53 --------- dc----w C:\Documents and Settings\All Users\Application Data\Atheros
2008-04-22 10:53 --------- dc----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-04-22 10:50 --------- dc----w C:\Program Files\Intel
2008-04-22 09:55 --------- dc----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 -c--a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 -c--a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 18:23 1365504]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACU"="C:\Program Files\Atheros\ACU.exe" [2007-05-03 17:42 376921]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-08-18 22:40 102400]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-04 16:52 16841216 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-08-04 14:22 1826816 C:\WINDOWS\SkyTel.exe]
"AsusTray"="C:\Program Files\Asus\EeePC ACPI\AsTray.exe" [2007-09-28 15:45 77824]
"AsusACPIServer"="C:\Program Files\Asus\EeePC ACPI\AsAcpiSvr.exe" [2007-10-02 13:21 450560]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-22 20:27 949376]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-22 14:43 104984]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-22 14:43 121368]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-22 14:43 100888]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R3 AsusACPI;ASUS ACPI Driver;C:\WINDOWS\system32\DRIVERS\ASUSACPI.sys [2007-07-26 20:00]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-08-22 16:50]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-03-28 19:52]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 01:17:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [2060] 0x852209F8

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
Completion time: 2008-06-15 1:18:35
ComboFix-quarantined-files.txt 2008-06-14 17:18:30
ComboFix2.txt 2008-06-14 16:43:08
ComboFix3.txt 2008-06-12 15:01:53
ComboFix4.txt 2008-06-12 01:52:19
ComboFix5.txt 2008-06-11 01:34:37

Pre-Run: 463,724,544 bytes free
Post-Run: 446,009,344 bytes free

103 --- E O F --- 2008-06-12 15:49:06


HJT


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:41 AM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Asus\EeePC ACPI\AsTray.exe
C:\Program Files\Asus\EeePC ACPI\AsAcpiSvr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\amanda\My Documents\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\Asus\EeePC ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\Asus\EeePC ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C097A05-48E6-4770-9CFA-3FB33931D6DF}: NameServer = 58.69.254.3 58.69.254.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB7EE7F8-58CC-47B8-90F7-85E288741C61}: NameServer = 129.37.2.107,129.37.2.112
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 4150 bytes
LoPhatPhuud
Both logs are clean. I suspect NOD32 is catching files in your System Restore area.

Post the NOD32 log so I can check. If you're using NOD32 v3, right click on the tray icon, select logfiles, and copy the contents of the log and paste into your post here.
Nyxis
Hi, here are my logs. Thanks!

Threat Logs

Time Module Object Name Threat Action User Information
6/15/2008 1:13:22 AM AMON file C:\DOCUME~1\amanda\LOCALS~1\Temp\Av-test.txt Eicar test file quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\system32\CF26898.exe. The file was moved to quarantine. You may close this window.
6/15/2008 0:37:56 AM AMON file C:\DOCUME~1\amanda\LOCALS~1\Temp\Av-test.txt Eicar test file quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\system32\CF20154.exe. The file was moved to quarantine. You may close this window.
6/15/2008 0:24:19 AM AMON file C:\DOCUME~1\amanda\LOCALS~1\Temp\Av-test.txt Eicar test file quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\system32\CF17320.exe. The file was moved to quarantine. You may close this window.
6/12/2008 22:56:36 PM AMON file C:\DOCUME~1\amanda\LOCALS~1\Temp\Av-test.txt Eicar test file quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\system32\CF25642.exe. The file was moved to quarantine. You may close this window.
6/12/2008 9:47:08 AM AMON file C:\DOCUME~1\amanda\LOCALS~1\Temp\Av-test.txt Eicar test file quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\system32\CF2014.exe. The file was moved to quarantine. You may close this window.
6/11/2008 9:29:30 AM AMON file C:\DOCUME~1\amanda\LOCALS~1\Temp\Av-test.txt Eicar test file quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\system32\CF11498.exe. The file was moved to quarantine. You may close this window.
6/10/2008 20:58:38 PM AMON file C:\DOCUME~1\amanda\LOCALS~1\Temp\Av-test.txt Eicar test file quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\system32\CF28086.exe. The file was moved to quarantine. You may close this window.
6/10/2008 18:22:09 PM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan deleted AMANDA01\amanda Event occurred at an attempt to access the file by the application: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe.
6/10/2008 17:46:28 PM AMON file C:\AutoRun.inf Win32/PSW.OnLineGames.NWH trojan AMANDA01\amanda Event occurred at an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
6/10/2008 1:28:53 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:28:44 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:19:15 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:19:14 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:18:50 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:18:49 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:18:24 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:18:24 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:17:59 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:17:59 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:17:34 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:17:34 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:17:09 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:17:09 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:16:44 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:16:44 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:16:19 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:16:18 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:15:54 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:15:53 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:15:28 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:15:28 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:15:03 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:15:03 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:14:38 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:14:38 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:14:13 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:14:13 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:13:48 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:13:48 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
6/10/2008 1:13:23 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.

Event Log

Time Module Event User
6/15/2008 17:53:17 PM Update Function: gethostbyname, parameters: , return value: 11001
6/15/2008 17:53:17 PM Update Update attempt failed (Server connection failure.)
6/15/2008 15:08:29 PM Update Function: gethostbyname, parameters: , return value: 11001
6/15/2008 15:08:29 PM Update Update attempt failed (Server connection failure.)
6/15/2008 8:51:44 AM Update Function: gethostbyname, parameters: , return value: 11001
6/15/2008 8:51:43 AM Update Update attempt failed (Server connection failure.)
6/15/2008 1:23:37 AM NOD32 An alert has been generated. See the on-demand scanner Log for details. AMANDA01\amanda
6/15/2008 1:11:44 AM Kernel Statistical information has been sent to ESET, spol. s r.o.
6/15/2008 1:00:04 AM NOD32 An alert has been generated. See the on-demand scanner Log for details. AMANDA01\amanda
6/15/2008 0:47:29 AM NOD32 An alert has been generated. See the on-demand scanner Log for details. AMANDA01\amanda
6/15/2008 0:13:35 AM Kernel The virus signature database has been successfully updated to version 3186 (20080613).
6/13/2008 8:29:51 AM NOD32 An alert has been generated. See the on-demand scanner Log for details. AMANDA01\amanda
6/13/2008 7:18:37 AM Kernel The virus signature database has been successfully updated to version 3182 (20080612).
6/12/2008 23:44:16 PM Update Function: gethostbyname, parameters: , return value: 11001
6/12/2008 23:44:15 PM Update Update attempt failed (Server connection failure.)
6/12/2008 22:42:09 PM Kernel The virus signature database has been successfully updated to version 3181 (20080612).
6/12/2008 9:41:00 AM Kernel Statistical information has been sent to ESET, spol. s r.o.
6/12/2008 9:40:58 AM Kernel Statistical information has been sent to ESET, spol. s r.o.
6/12/2008 9:40:55 AM Kernel The virus signature database has been successfully updated to version 3179 (20080611).
6/11/2008 21:45:48 PM Update Function: gethostbyname, parameters: , return value: 11001
6/11/2008 21:45:47 PM Update Update attempt failed (Server connection failure.)
6/11/2008 16:26:03 PM Update Function: gethostbyname, parameters: , return value: 11001
6/11/2008 16:26:02 PM Update Update attempt failed (Server connection failure.)
6/11/2008 15:26:03 PM Update Function: gethostbyname, parameters: , return value: 11001
6/11/2008 15:26:02 PM Update Update attempt failed (Server connection failure.)
6/11/2008 14:26:03 PM Update Function: gethostbyname, parameters: , return value: 11001
6/11/2008 14:26:02 PM Update Update attempt failed (Server connection failure.)
6/11/2008 13:26:03 PM Update Function: gethostbyname, parameters: , return value: 11001
6/11/2008 13:26:02 PM Update Update attempt failed (Server connection failure.)
6/11/2008 12:26:03 PM Update Function: gethostbyname, parameters: , return value: 11001
6/11/2008 12:26:03 PM Update Update attempt failed (Server connection failure.)
6/11/2008 11:26:03 AM Update Function: gethostbyname, parameters: , return value: 11001
6/11/2008 11:26:02 AM Update Update attempt failed (Server connection failure.)
6/11/2008 10:26:03 AM Update Function: gethostbyname, parameters: , return value: 11001
6/11/2008 10:26:02 AM Update Update attempt failed (Server connection failure.)
6/11/2008 9:26:38 AM Kernel Statistical information has been sent to ESET, spol. s r.o.
6/11/2008 1:16:55 AM Update Function: gethostbyname, parameters: , return value: 11001
6/11/2008 1:16:54 AM Update Update attempt failed (Server connection failure.)
6/10/2008 23:09:42 PM NOD32 An alert has been generated. See the on-demand scanner Log for details. AMANDA01\amanda
6/10/2008 23:08:02 PM Kernel Statistical information has been sent to ESET, spol. s r.o.
6/10/2008 23:08:00 PM Kernel Statistical information has been sent to ESET, spol. s r.o.
6/10/2008 23:07:58 PM Kernel Statistical information has been sent to ESET, spol. s r.o.
6/10/2008 22:11:39 PM Update Function: gethostbyname, parameters: , return value: 11001
6/10/2008 22:11:37 PM Update Update attempt failed (Server connection failure.)
6/10/2008 21:10:59 PM Kernel The virus signature database has been successfully updated to version 3172 (20080610).
6/10/2008 20:10:53 PM Update Function: gethostbyname, parameters: , return value: 11001
6/10/2008 20:10:53 PM Update Update attempt failed (Server connection failure.)
6/10/2008 19:47:51 PM NOD32 An alert has been generated. See the on-demand scanner Log for details. AMANDA01\amanda
6/10/2008 17:57:56 PM NOD32 An alert has been generated. See the on-demand scanner Log for details. AMANDA01\amanda
6/10/2008 17:09:17 PM Kernel Statistical information has been sent to ESET, spol. s r.o.
6/10/2008 16:15:04 PM Update Function: gethostbyname, parameters: , return value: 11001
6/10/2008 16:15:04 PM Update Update attempt failed (Server connection failure.)
6/10/2008 0:40:47 AM Update Function: gethostbyname, parameters: , return value: 11001
6/10/2008 0:40:46 AM Update Update attempt failed (Server connection failure.)
6/9/2008 23:39:35 PM Kernel Statistical information has been sent to ESET, spol. s r.o.
6/9/2008 23:40:03 PM Kernel Statistical information has been sent to ESET, spol. s r.o.
6/6/2008 10:35:39 AM Update Function: gethostbyname, parameters: , return value: 11001
6/6/2008 10:35:39 AM Update Update attempt failed (Server connection failure.)
6/3/2008 18:08:11 PM NOD32 An alert has been generated. See the on-demand scanner Log for details. AMANDA01\amanda
6/3/2008 18:04:33 PM Update Function: gethostbyname, parameters: , return value: 11001
6/3/2008 18:04:33 PM Update Update attempt failed (Server connection failure.)
6/3/2008 17:04:34 PM Update Function: gethostbyname, parameters: , return value: 11001
6/3/2008 17:04:33 PM Update Update attempt failed (Server connection failure.)
6/3/2008 16:04:34 PM Update Function: gethostbyname, parameters: , return value: 11001
6/3/2008 16:04:33 PM Update Update attempt failed (Server connection failure.)
6/3/2008 15:04:33 PM Update Function: gethostbyname, parameters: , return value: 11001
6/3/2008 15:04:33 PM Update Update attempt failed (Server connection failure.)
6/3/2008 14:04:34 PM Update Function: gethostbyname, parameters: , return value: 11001
6/3/2008 14:04:34 PM Update Update attempt failed (Server connection failure.)
6/3/2008 13:04:37 PM Update Function: gethostbyname, parameters: , return value: 11001
6/3/2008 13:04:37 PM Update Update attempt failed (Server connection failure.)
6/3/2008 11:51:04 AM Update Function: gethostbyname, parameters: , return value: 11001
6/3/2008 11:51:04 AM Update Update attempt failed (Server connection failure.)
6/3/2008 10:50:27 AM Update Function: gethostbyname, parameters: , return value: 11001
6/3/2008 10:50:27 AM Update Update attempt failed (Server connection failure.)
6/3/2008 9:50:12 AM Update Function: gethostbyname, parameters: , return value: 11001
6/3/2008 9:50:11 AM Update Update attempt failed (Server connection failure.)
6/3/2008 8:43:51 AM Update Function: gethostbyname, parameters: , return value: 11001
6/3/2008 8:43:50 AM Update Update attempt failed (Server connection failure.)
6/3/2008 7:13:27 AM Update Function: gethostbyname, parameters: , return value: 11001
6/3/2008 7:13:27 AM Update Update attempt failed (Server connection failure.)
6/2/2008 22:53:58 PM Update Function: gethostbyname, parameters: , return value: 11001
6/2/2008 22:53:58 PM Update Update attempt failed (Server connection failure.)
6/2/2008 21:15:29 PM Update Function: gethostbyname, parameters: , return value: 11001
6/2/2008 21:15:29 PM Update Update attempt failed (Server connection failure.)
6/2/2008 12:43:55 PM Update Function: gethostbyname, parameters: , return value: 11001
6/2/2008 12:43:55 PM Update Update attempt failed (Server connection failure.)
6/2/2008 10:02:02 AM Update Function: gethostbyname, parameters: , return value: 11001
6/2/2008 10:02:01 AM Update Update attempt failed (Server connection failure.)
6/2/2008 9:02:04 AM Update Function: gethostbyname, parameters: , return value: 11001
6/2/2008 9:02:03 AM Update Update attempt failed (Server connection failure.)
6/2/2008 4:22:51 AM Update Function: gethostbyname, parameters: , return value: 11001
6/2/2008 4:22:51 AM Update Update attempt failed (Server connection failure.)
6/1/2008 22:10:31 PM Update Function: gethostbyname, parameters: , return value: 11001
6/1/2008 22:10:31 PM Update Update attempt failed (Server connection failure.)
6/1/2008 8:15:23 AM Update Function: gethostbyname, parameters: , return value: 11001
6/1/2008 8:15:23 AM Update Update attempt failed (Server connection failure.)
6/1/2008 7:05:04 AM Update Function: gethostbyname, parameters: , return value: 11001
6/1/2008 7:05:04 AM Update Update attempt failed (Server connection failure.)
6/1/2008 0:23:57 AM Update Function: gethostbyname, parameters: , return value: 11001
6/1/2008 0:23:57 AM Update Update attempt failed (Server connection failure.)
5/31/2008 22:24:47 PM Kernel Statistical information has been sent to ESET, spol. s r.o.
5/31/2008 3:20:42 AM Update Function: gethostbyname, parameters: , return value: 11001
5/31/2008 3:20:42 AM Update Update attempt failed (Server connection failure.)
5/31/2008 2:21:44 AM Kernel Statistical information has been sent to ESET, spol. s r.o.
5/31/2008 2:21:39 AM Kernel Statistical information has been sent to ESET, spol. s r.o.
5/31/2008 2:21:32 AM Kernel Statistical information has been sent to ESET, spol. s r.o.
5/31/2008 2:21:27 AM Kernel The virus signature database has been successfully updated to version 3148 (20080530).
LoPhatPhuud
Entries such as this one:
6/15/2008 1:13:22 AM AMON file C:\DOCUME~1\amanda\LOCALS~1\Temp\Av-test.txt Eicar test file quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\system32\CF26898.exe. The file was moved to quarantine. You may close this window.

are the result of a program C:\CFnnnnn.exe (where 'n' is any digit) creating an Eicar test file. This is a harmless file, common text, used to test AntiVirus programs. There is nothing harmful about them. The question I have is how many of these CFnnnnn.exe programs are there in the C:\Windows\System32\ folder, and how did they get there?

The other file, C:\autorun.inf can be harmful and NOD32 is appropriately removing it. We need to find what program is creating it. Please open the C:\autorun.inf file (it's just a text file) and copy and paste the contents into your next post.
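
An added triage script for the threat log posted above (example code, not from the thread's helpers or from ESET): it splits the EICAR entries written by CF<digits>.exe from the real detections, then looks at how fast each object is re-detected, since autorun.inf coming back every 25 seconds on both C: and F: is the reinfection loop the reply is asking about. It assumes the object path contains no spaces (true for every line on this page) and that the hour field is already 24-hour, as the pasted lines show.

```python
import re
from collections import defaultdict
from datetime import datetime

# One AMON threat-log line as pasted in the thread. The object path is taken as the first
# whitespace-free token after the object type, which holds for every line on this page
# (8.3 short paths, no spaces); the AM/PM token is ignored because the hour is already 24h.
LINE_RE = re.compile(
    r"^(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}) (?:AM|PM) "
    r"(?P<module>\S+) (?P<kind>\S+) (?P<path>\S+) (?P<threat>.+?)"
    r"(?: (?P<action>quarantined - deleted|quarantined|deleted|cleaned))?"
    r" (?P<user>\S+\\\S+) Event occurred (?P<info>.*)$"
)
APP_RE = re.compile(r"by the application: (?P<app>.+?)\.(?:\s|$)")
# The CFnnnnn.exe helpers the reply asks about; their timestamps line up with the
# ComboFix runs listed earlier in the thread.
CF_RE = re.compile(r"^C:\\WINDOWS\\system32\\CF\d+\.exe$", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one threat-log line, or None for headers and other non-entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec.pop("stamp"), "%m/%d/%Y %H:%M:%S")
    app = APP_RE.search(rec["info"])
    rec["app"] = app.group("app") if app else None
    # An EICAR string dropped by a CF*.exe helper is an AV self-test, not an infection.
    rec["eicar_selftest"] = (rec["threat"].lower().startswith("eicar")
                             and rec["app"] is not None and bool(CF_RE.match(rec["app"])))
    return rec


def triage(lines, loop_window_s=60, min_rapid_rehits=2):
    """Split EICAR self-tests from real detections and flag objects that keep coming back
    within loop_window_s seconds: a reinfection loop means something is recreating them."""
    records = [r for r in (parse_line(ln) for ln in lines) if r]
    eicar = [r for r in records if r["eicar_selftest"]]
    by_path = defaultdict(list)
    for r in records:
        if not r["eicar_selftest"]:
            by_path[r["path"].lower()].append(r)
    report = {"parsed": len(records), "eicar_selftests": len(eicar),
              "eicar_writers": sorted({r["app"] for r in eicar}), "objects": {}}
    for path, hits in by_path.items():
        hits.sort(key=lambda r: r["when"])
        gaps = [(b["when"] - a["when"]).total_seconds() for a, b in zip(hits, hits[1:])]
        rapid = sum(1 for g in gaps if g <= loop_window_s)
        report["objects"][path] = {
            "threats": sorted({r["threat"] for r in hits}),
            "hits": len(hits),
            "apps": sorted({r["app"] for r in hits if r["app"]}),   # who touched/created it
            "shortest_gap_s": min(gaps) if gaps else None,
            "reinfection_loop": rapid >= min_rapid_rehits,
        }
    return report


# Lines copied from the thread's NOD32 threat log (header included to show it is skipped).
SAMPLE_LOG = [
    "Time Module Object Name Threat Action User Information",
    r"6/15/2008 1:13:22 AM AMON file C:\DOCUME~1\amanda\LOCALS~1\Temp\Av-test.txt Eicar test file quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\system32\CF26898.exe. The file was moved to quarantine. You may close this window.",
    r"6/12/2008 9:47:08 AM AMON file C:\DOCUME~1\amanda\LOCALS~1\Temp\Av-test.txt Eicar test file quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\system32\CF2014.exe. The file was moved to quarantine. You may close this window.",
    r"6/10/2008 18:22:09 PM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan deleted AMANDA01\amanda Event occurred at an attempt to access the file by the application: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe.",
    r"6/10/2008 17:46:28 PM AMON file C:\AutoRun.inf Win32/PSW.OnLineGames.NWH trojan AMANDA01\amanda Event occurred at an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.",
    r"6/10/2008 1:18:50 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.",
    r"6/10/2008 1:18:49 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.",
    r"6/10/2008 1:18:24 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.",
    r"6/10/2008 1:18:24 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.",
    r"6/10/2008 1:17:59 AM AMON file F:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.",
    r"6/10/2008 1:17:59 AM AMON file C:\autorun.inf Win32/PSW.OnLineGames.NWH trojan quarantined - deleted AMANDA01\amanda Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.",
]

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print(f"{rep['parsed']} entries, {rep['eicar_selftests']} EICAR self-tests by {rep['eicar_writers']}")
    for path, o in rep["objects"].items():
        flag = "REINFECTION LOOP" if o["reinfection_loop"] else "isolated"
        print(f"{path}: {o['hits']} hits, shortest gap {o['shortest_gap_s']}s, {flag}, via {o['apps']}")
```

Paste the whole threat log into SAMPLE_LOG to run it over the full export; the two drives being rewritten within a second of each other is what tells you the infection is copying itself between the laptop and the USB stick rather than NOD32 simply missing a file.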

Nyxis
Hi, sorry to reply so late. My sister took the laptop with her to work for the past few days.
I searched for the c:\autorun.inf but it seems that it's no longer in my c drive. I did a scan today and it showed up with 1 infection. I did a screen cap for the log and the alert message that popped up.

Weird though that this infection is not shown in the threat logs or event logs.
LoPhatPhuud
The infected file is in your NOD32 quarantine folder. It will continue to be detected until it's removed from quarantine. Open the NOD32 quarantine (right click on the tray icon for v3) and select 'Quarantine'. Click on each item listed (there is probably only one) and delete it.

Nyxis
Thanks LoPhatPhuud for the help. I deleted the quarantined file and did a scan. Nothing was flagged any more as infected. :)

Thanks!
Invision Power Board © 2001-2009 Invision Power Services, Inc.